# Simpaisa Group - Regulatory Governance Suite
## DOCUMENT 1: INTERNAL AUDIT CHARTER
SIMPAISA GROUP
INTERNAL AUDIT CHARTER
| Field | Detail |
|---|---|
| Document Reference | SGP-GOV-006 |
| Version | 1.0 |
| Status | Active |
| Owner | Board Audit and Risk Committee |
| Approver | Board of Directors |
| Effective Date | 1 April 2026 |
| Next Review Date | 1 April 2027 |
| Classification | Confidential |
## Document Control
### Revision History
| Version | Date | Author | Changes |
|---|---|---|---|
| 0.1 | January 2026 | CEO Office / Legal | Initial draft |
| 0.2 | February 2026 | ARC Chair, CFO, MLRO | Internal review and revision |
| 0.3 | March 2026 | ARC | Incorporation of DFSA supervisory feedback |
| 1.0 | April 2026 | Board of Directors | Board-approved final version |
### Distribution
This Charter is distributed to all members of the Board of Directors, the Audit and Risk Committee, the Executive Leadership Team, and the Head of Internal Audit (or the engagement partner of the outsourced internal audit provider). It is maintained on the Group's internal policy management system. It is not classified as Restricted and may be shared with the DFSA upon request.
### Related Documents
- Three Lines of Defence Framework (SGP-GOV-007)
- Board Committee Terms of Reference (SGP-GOV-008)
- Risk Appetite Statement (SGP-GOV-009)
- AML/CFT Policy (SGP-FC-001)
- Operational Resilience Policy (SGP-OPS-001)
- Outsourcing and Third-Party Management Policy (SGP-OPS-002)
- External Audit Terms of Engagement
## 1. Purpose and Scope
### 1.1 Purpose
This Internal Audit Charter ("Charter") establishes the mission, authority, independence, scope, and operating standards of the Internal Audit function ("Internal Audit" or "IA") of Simpaisa Group ("Simpaisa" or "the Group"). The Charter gives Internal Audit the authority necessary to fulfil its responsibilities and defines the principles by which it operates.
Internal Audit provides the Board of Directors and the Audit and Risk Committee ("ARC") with independent, objective assurance and advisory services designed to add value and improve the Group's operations. It assists the Group in accomplishing its objectives by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of governance, risk management, and internal control processes.
Internal Audit constitutes the Third Line of Defence within the Group's Three Lines of Defence framework. It operates independently from the business functions that constitute the First Line and from the oversight functions that constitute the Second Line.
This Charter is approved by the Board of Directors on the recommendation of the ARC and shall be reviewed at least annually, or whenever material changes to the Group's structure, regulatory status, or risk profile make revision necessary.
### 1.2 Scope
This Charter applies to:
- All business functions, legal entities, and operating jurisdictions of the Simpaisa Group, including Simpaisa Holdings Pte Ltd and all nine subsidiary and associated entities;
- All activities, products, services, and processes carried out by or on behalf of the Group, including those delivered through outsourcing arrangements or by third-party service providers where the Group retains regulatory accountability;
- All employees, contractors, and agents of the Group regardless of grade, function, or location;
- All systems, data, and infrastructure material to the Group's operations and regulatory obligations.
Internal Audit has the right to extend its scope to any matter it considers relevant to the fulfilment of its mission, subject to notification to the ARC.
## 2. Definitions
| Term | Definition |
|---|---|
| ARC | The Board Audit and Risk Committee of Simpaisa Group. |
| Audit Universe | The complete inventory of auditable entities, processes, systems, and activities within the Group's scope, from which the risk-based audit plan is derived. |
| Charter | This Internal Audit Charter (SGP-GOV-006). |
| Co-sourcing | An arrangement whereby Internal Audit engages an external firm to supplement in-house IA capability for specific engagements, whilst retaining the Head of IA function internally. |
| External Quality Assessment | An independent review of the Internal Audit function against the IIA Standards, conducted by a qualified external assessor every five years. |
| Finding | An identified weakness, deficiency, or gap in controls, governance, or compliance identified during an audit engagement. |
| Head of Internal Audit | The individual responsible for leading the Internal Audit function; in the outsourced phase, this is the senior partner or director of the appointed firm who is the principal point of contact with the ARC. |
| IIA | The Institute of Internal Auditors - the global professional standards body for internal auditing. |
| IIA Standards | The International Professional Practices Framework (IPPF) issued by the IIA, including the Core Principles, Definition, Code of Ethics, and Standards. |
| INED | Independent Non-Executive Director. |
| Management Action Plan (MAP) | A formal response by management to an audit finding, setting out the agreed remediation action, the responsible owner, and the target completion date. |
| Outsourced IA | An arrangement whereby the entirety of the Internal Audit function is delivered by an external professional firm under a service agreement with the ARC. |
| Risk-Based Audit Plan | The annual plan of audit engagements, derived from a risk assessment of the Audit Universe and approved by the ARC. |
| Three Lines of Defence | The governance framework described in SGP-GOV-007. |
## 3. Mission and Mandate
### 3.1 Mission
3.1.1 The mission of Internal Audit is to enhance and protect organisational value by providing risk-based and objective assurance, advice, and insight. Internal Audit helps Simpaisa accomplish its objectives by evaluating and improving the effectiveness of governance, risk management, and internal control processes, in a manner consistent with the IIA Standards.
### 3.2 Authority
3.2.1 Internal Audit is granted full, unrestricted access to all records, personnel, premises, systems, and data of the Group that it deems necessary to discharge its mandate. This includes access to board papers, management accounts, correspondence, transaction data, system logs, and the records of third parties engaged by the Group, subject to applicable contractual and legal constraints.
3.2.2 The Head of Internal Audit has the right of direct and unrestricted access to the ARC Chair at any time, without the requirement to route communications through management. This access shall not be conditional upon management consent and shall not be subject to delay.
3.2.3 All employees and management are required to co-operate fully with Internal Audit, provide complete and accurate information on request, and refrain from any action that impairs or obstructs the conduct of an audit engagement.
3.2.4 The Head of Internal Audit shall attend ARC meetings as a standing participant, and may attend Board meetings at the invitation of the ARC Chair or Board Chair.
### 3.3 Independence and Objectivity
3.3.1 Internal Audit shall be independent of the activities and functions it audits. Independence means that Internal Audit is free from conditions that threaten its ability to carry out its responsibilities in an unbiased manner.
3.3.2 Internal Audit reports functionally to the ARC and administratively to the CEO solely for operational purposes (e.g., HR administration, budget processing). No member of management shall have the authority to direct, limit, restrict, suppress, or override the findings, opinions, or reports of Internal Audit.
3.3.3 The Head of Internal Audit (or, in the outsourced phase, the engagement partner of the appointed firm) shall be appointed and removed only with the approval of the ARC. The ARC shall conduct an annual performance assessment of the Internal Audit function and, in the outsourced phase, shall approve the terms, fees, and renewal or termination of the external provider's engagement.
3.3.4 Internal Audit shall not assume operational responsibilities for any of the activities it audits. Where advisory or consulting engagements are undertaken, Internal Audit shall not take responsibility for design, implementation, or operation of controls. Any such engagements shall be disclosed in the annual plan and shall not compromise audit independence.
3.3.5 Potential conflicts of interest shall be disclosed to the ARC Chair promptly. Where the external provider has non-audit relationships with the Group, the ARC shall assess whether independence is impaired.
## 4. Audit Universe and Risk-Based Planning
### 4.1 Audit Universe
4.1.1 The Audit Universe encompasses all significant activities, processes, functions, entities, and systems of the Group. It is maintained by Internal Audit and reviewed at least annually. The Audit Universe includes, but is not limited to, the following domains:
| Domain | Sub-areas |
|---|---|
| AML/CFT | Customer due diligence, transaction monitoring, STR processes, PEP and sanctions screening, correspondent banking |
| Sanctions Compliance | Screening programme design, screening technology, override governance, OFAC/UN/EU/HMT coverage, sanctions risk assessment |
| Fraud Risk | Internal fraud controls, payment fraud detection, identity fraud, first-party fraud, refund abuse, authorisation fraud |
| Information Technology and Cyber Security | Access control, vulnerability management, patch management, penetration testing, cloud security, SDLC security |
| Operational Resilience | Business continuity, disaster recovery, incident management, critical service mapping, impact tolerance testing |
| Client Money | Client account segregation, reconciliation, withdrawal controls, client money audit (annual statutory requirement) |
| Regulatory Compliance | DFSA licence conditions, regulatory reporting, regulatory change management, country licence obligations |
| Financial Reporting | Management accounts accuracy, regulatory financial returns, treasury and liquidity controls, accounting policy application |
| Outsourcing and Third-Party Risk | Vendor due diligence, contract governance, exit planning, concentration risk, fourth-party risk |
| Data Governance | Data quality, data lineage, privacy (PDPA, GDPR-aligned obligations), data retention and disposal |
| Human Resources and Conduct | Recruitment screening, fit and proper compliance, conflicts of interest, whistleblowing programme effectiveness |
| Product and Commercial | Product launch governance, merchant onboarding, pricing controls, incentive scheme compliance |
4.1.2 The Audit Universe shall be updated whenever the Group launches new products, enters new markets, makes material changes to its technology estate, or acquires or establishes new entities.
### 4.2 Risk Assessment
4.2.1 Internal Audit shall conduct an annual risk assessment of the Audit Universe to determine the relative risk of each auditable entity and to prioritise audit engagements accordingly. The risk assessment shall consider:
- Inherent risk (likelihood and impact of control failure);
- Control environment maturity (assessed against prior findings and management self-assessments);
- Regulatory significance (DFSA priority areas, supervisory themes, peer enforcement actions);
- Change and transformation activity (new systems, new markets, new products, outsourcing transitions);
- Time elapsed since the last audit of the area.
4.2.2 The risk assessment methodology and its outputs shall be documented and presented to the ARC for review and challenge before the annual audit plan is finalised.
### 4.3 Risk-Based Audit Plan
4.3.1 The Head of Internal Audit shall prepare and submit an annual risk-based audit plan ("Audit Plan") to the ARC for approval, ordinarily at the ARC's Q4 meeting for the following calendar year.
4.3.2 The Audit Plan shall specify:
- Each planned audit engagement, the domain from the Audit Universe, and the planned timing;
- The estimated resource requirement (days or FTE, whether in-house or outsourced);
- Any engagements deferred from the prior year and the rationale;
- Any follow-up or thematic reviews required by outstanding findings or regulatory direction;
- The mandatory client money audit (annual).
4.3.3 The Audit Plan may be amended during the year with ARC approval to reflect material changes in the Group's risk profile, regulatory direction, or significant incidents. Emergency or unplanned audits may be commissioned by the ARC Chair between scheduled meetings.
4.3.4 Internal Audit shall notify the ARC of any resource constraints that prevent the full execution of the approved Audit Plan.
## 5. Conduct of Audit Engagements
### 5.1 Standards
5.1.1 All audit engagements shall be conducted in accordance with the IIA Standards and the IIA Code of Ethics. Internal Audit shall maintain the quality, objectivity, and professionalism required by those Standards in all its work.
5.1.2 In the outsourced phase, the appointed firm shall confirm annually in writing that it has conducted engagements in accordance with the IIA Standards and its own professional quality standards.
### 5.2 Engagement Planning
5.2.1 For each audit engagement, Internal Audit shall prepare an engagement planning document setting out:
- Objectives and scope of the engagement;
- Relevant risks and control areas to be examined;
- Proposed audit procedures and sampling approach;
- Engagement team and timeline;
- Any reliance to be placed on the work of the Second Line (e.g., prior compliance monitoring results).
5.2.2 The engagement plan shall be shared with the relevant business owner at the commencement of fieldwork. Management may request scoping adjustments, but final decisions on scope rest with Internal Audit.
### 5.3 Fieldwork
5.3.1 Fieldwork shall include, as appropriate: review of documentation and records, data analytics, testing of controls, process walkthroughs, interviews with management and staff, and observation of operations.
5.3.2 Internal Audit may use data analytics and automated testing tools to improve efficiency and coverage. The use of such tools shall be documented in the working papers.
### 5.4 Reporting
5.4.1 Upon completion of fieldwork, Internal Audit shall issue a draft audit report to the relevant management team for factual accuracy review. Management shall have ten business days to respond.
5.4.2 The final audit report shall include:
- An overall opinion on the adequacy and effectiveness of the control environment examined;
- Individual findings, each rated in accordance with section 5.5;
- For each finding: a description of the issue, the risk it creates, the root cause, and a recommended management action;
- Management's agreed action plan (MAP) for each finding, including the responsible owner and target completion date;
- A summary of any prior findings relating to the same area.
5.4.3 Final audit reports shall be distributed to: the ARC, the CEO, the relevant business owner, the CFO, the MLRO, and (where applicable) the external auditor.
### 5.5 Finding Rating Scale
| Rating | Definition | Escalation |
|---|---|---|
| Critical | A material control failure presenting an immediate and significant risk to the Group's financial position, regulatory standing, customers, or the Group's ability to operate. Indicative of a fundamental breakdown in governance or compliance. | Reported to the full Board within five business days of the finding being confirmed. CEO and ARC Chair notified immediately. |
| High | A significant control weakness that materially increases the risk of financial loss, regulatory breach, customer detriment, or reputational damage if not remediated promptly. | Reported to ARC at the next scheduled meeting or earlier if the ARC Chair deems appropriate. |
| Medium | A control weakness that represents a moderate risk and requires management attention and remediation within a reasonable timeframe. | Reported to ARC in the quarterly findings summary. |
| Low | A minor control deficiency or process improvement opportunity with limited immediate risk impact. | Reported to ARC in the quarterly findings summary. |
## 6. Reporting to the Audit and Risk Committee
### 6.1 Quarterly Reporting
6.1.1 The Head of Internal Audit shall provide a written report to each quarterly ARC meeting. The quarterly report shall include:
- A summary of audit engagements completed since the last report, with overall opinions;
- All open findings by rating, responsible owner, and target date;
- A RAG (Red/Amber/Green) status for the Audit Plan execution against plan;
- Any material changes to the risk assessment underlying the Audit Plan;
- Any instances of management non-co-operation or obstruction;
- An update on the remediation of overdue findings.
### 6.2 Annual Report
6.2.1 At the end of each calendar year, the Head of Internal Audit shall present an annual report to the ARC setting out:
- An overall opinion on the adequacy and effectiveness of the Group's governance, risk management, and internal control framework;
- A summary of all findings during the year, by rating and domain;
- An assessment of audit plan coverage achieved against the approved plan;
- The resource profile (days delivered, cost) of the Internal Audit function;
- Proposed audit plan for the following year;
- Any quality matters arising from the outsourced provider's internal quality review.
### 6.3 Critical Finding Escalation
6.3.1 Where Internal Audit identifies a Critical finding during fieldwork (whether or not the report has been finalised), the Head of Internal Audit shall notify the ARC Chair directly and without delay. The ARC Chair shall determine whether an emergency meeting of the ARC or a report to the full Board is required.
6.3.2 Critical findings shall be reported to the full Board at the next scheduled Board meeting, and in any event within thirty calendar days of confirmation.
## 7. Follow-Up and Management Action Plans
### 7.1 Management Accountability
7.1.1 Management is responsible for implementing agreed Management Action Plans within the target dates set out in final audit reports. Responsibility for each action shall be assigned to a named individual.
7.1.2 Management shall provide Internal Audit with evidence of completion for each action on or before the agreed target date. Internal Audit shall validate the evidence and confirm closure.
### 7.2 Overdue Findings
7.2.1 Where a Management Action Plan is not completed by the agreed target date, the finding shall be classified as overdue. Overdue findings shall be escalated as follows:
| Overdue Period | Escalation Action |
|---|---|
| 1–30 days overdue | Internal Audit notifies the relevant senior manager in writing. |
| 31–60 days overdue | Internal Audit notifies the CEO and CFO in writing. |
| 61–90 days overdue | Reported to the ARC at the next meeting, or by written report if no meeting is imminent. |
| 90+ days overdue (Critical or High) | Reported to the full Board. ARC to consider whether the issue should be disclosed to the DFSA. |
7.2.2 The ARC may, in exceptional circumstances, agree to extend a target date upon receipt of a written request from the relevant Executive Leadership Team member, provided that a satisfactory explanation and revised plan are provided.
### 7.3 Thematic Reviews
7.3.1 Where repeat findings are identified in the same domain across consecutive audit cycles, Internal Audit shall conduct a thematic review to assess whether systemic control weaknesses exist. The results of thematic reviews shall be presented to the ARC.
## 8. Staffing and Resourcing
### 8.1 Current Phase: Outsourced Model
8.1.1 At the Group's current scale (approximately 180 employees), the Internal Audit function shall be fully outsourced to a reputable professional services firm with demonstrated expertise in financial services, payments, AML/CFT, and technology audit. The appointed firm shall be a Big 4 firm or a recognised specialist internal audit provider with equivalent capability.
8.1.2 The ARC shall be responsible for the selection, appointment, fee approval, and performance assessment of the outsourced provider. The ARC shall assess the appointment at least every three years, using a formal tender process where appropriate.
8.1.3 The engagement partner of the outsourced firm shall fulfil the role of Head of Internal Audit for the purposes of this Charter, including all reporting obligations to the ARC, attendance at ARC meetings, and direct access arrangements.
8.1.4 Where specialist expertise is required for specific engagements (e.g., IT security, forensic accounting, regulatory expertise in a particular jurisdiction), the outsourced provider may engage sub-specialists. The ARC shall be notified of any material sub-specialisation arrangements.
### 8.2 Transition to In-House Model
8.2.1 The Board has determined in principle that the Group shall establish an in-house Internal Audit function when the Group's employee headcount reaches 250 or above, or earlier if the Board determines that the Group's regulatory complexity, product maturity, or risk profile warrants it.
8.2.2 The transition plan shall be prepared by the ARC and shall address: the recruitment of a qualified Head of Internal Audit (at a senior level commensurate with the Group's size, reporting to the ARC); the co-sourcing arrangements during the transition; the handover of institutional knowledge from the outgoing provider; and the budget requirements.
8.2.3 The Head of Internal Audit, once appointed on an in-house basis, shall be a qualified professional holding membership of the IIA or an equivalent professional body, and shall have demonstrable experience in financial services internal audit.
8.2.4 In the in-house model, the Head of Internal Audit shall report functionally to the ARC and administratively to the CEO. The ARC shall approve the appointment and removal of the Head of Internal Audit.
### 8.3 Budget
8.3.1 The Internal Audit budget shall be approved annually by the ARC, as part of the Group's budget process. The budget shall be sufficient to execute the approved Audit Plan in full without material compromise to scope or quality.
8.3.2 The CFO shall include the Internal Audit budget as a distinct line item in the Group's financial reporting to the Board.
## 9. Quality Assurance and Continuous Improvement
### 9.1 Internal Quality Assurance
9.1.1 Internal Audit shall maintain an internal quality assurance and improvement programme. In the outsourced phase, this shall be evidenced through the provider's own quality review procedures, results of which shall be shared with the ARC annually.
9.1.2 The Head of Internal Audit shall seek feedback from ARC members and senior management on the quality, timeliness, and practical value of audit reports and shall use this feedback to improve future engagements.
### 9.2 External Quality Assessment
9.2.1 The Internal Audit function shall undergo an external quality assessment ("EQA") at least once every five years, in accordance with the IIA Standards. The EQA shall be conducted by a qualified, independent assessor who has no conflicts of interest with the Group or the Internal Audit provider.
9.2.2 The results of the EQA shall be reported directly to the ARC. Management shall have no right to review or amend the EQA report before it is presented to the ARC.
9.2.3 Where the EQA identifies areas of non-conformance with the IIA Standards, the Head of Internal Audit shall prepare a remediation plan for ARC approval within 60 calendar days of the EQA report being finalised.
### 9.3 Conformance Declaration
9.3.1 The Head of Internal Audit shall state in each annual report whether Internal Audit conforms with the IIA Standards, and shall disclose any instances of non-conformance and the steps being taken to address them.
## 10. Regulatory Context
### 10.1 DFSA Requirements
10.1.1 The Group is subject to the rules and guidance of the Dubai Financial Services Authority in respect of its DIFC-regulated entity, including the requirements applicable to a Category 3D licence. The Internal Audit function is designed to satisfy the DFSA's expectations regarding adequate systems and controls, governance arrangements, and independent assurance.
10.1.2 The DFSA may request access to Internal Audit reports, findings, and working papers in the exercise of its supervisory functions. The Head of Internal Audit shall notify the ARC Chair before providing any material to the DFSA.
10.1.3 Findings relating to potential regulatory breaches, including AML/CFT, sanctions, client money, or licence condition failures, shall be communicated to the MLRO and the ARC Chair promptly, regardless of the stage of the audit engagement.
### 10.2 Multi-Jurisdictional Considerations
10.2.1 The Group operates under multiple regulatory frameworks across Pakistan, Bangladesh, Nepal, Iraq, the UAE, Canada, the United Kingdom, and Singapore. The Internal Audit function shall have awareness of, and shall audit compliance with, applicable local regulatory requirements in each jurisdiction.
10.2.2 Where local regulatory requirements mandate specific audit or assurance activities (e.g., a statutory audit of client funds in a particular jurisdiction), Internal Audit shall co-ordinate with the relevant local advisers or statutory auditors to ensure coverage and avoid duplication.
## 11. Charter Maintenance
11.1 This Charter shall be reviewed annually by the ARC and approved by the Board of Directors.
11.2 Material amendments to the Charter shall be reported to the DFSA where required under applicable rules.
11.3 The Charter shall be made available to the DFSA upon request and shall be provided to any incoming Head of Internal Audit as part of their induction.
## 12. Approval
| Role | Name | Date |
|---|---|---|
| ARC Chair | [INED Name] | April 2026 |
| Board Chair | Nadeem Hussain | April 2026 |
| CEO | Yassir Pasha | April 2026 |
---
## DOCUMENT 2: THREE LINES OF DEFENCE FRAMEWORK
SIMPAISA GROUP
THREE LINES OF DEFENCE FRAMEWORK
| Field | Detail |
|---|---|
| Document Reference | SGP-GOV-007 |
| Version | 1.0 |
| Status | Active |
| Owner | Chief Executive Officer (in consultation with ARC) |
| Approver | Board of Directors |
| Effective Date | 1 April 2026 |
| Next Review Date | 1 April 2027 |
| Classification | Internal |
## Document Control
### Revision History
| Version | Date | Author | Changes |
|---|---|---|---|
| 0.1 | January 2026 | CEO Office, CDO Office | Initial draft |
| 0.2 | February 2026 | MLRO, CFO, CTO | Internal review |
| 0.3 | March 2026 | ARC | Alignment with Internal Audit Charter |
| 1.0 | April 2026 | Board of Directors | Board-approved final version |
### Related Documents
- Internal Audit Charter (SGP-GOV-006)
- Board Committee Terms of Reference (SGP-GOV-008)
- Risk Appetite Statement (SGP-GOV-009)
- AML/CFT Policy (SGP-FC-001)
- Operational Resilience Policy (SGP-OPS-001)
- Risk Management Framework (SGP-RISK-001)
## 1. Purpose
This Framework document describes Simpaisa Group's adoption of the Three Lines of Defence model as its primary governance architecture for risk management and control assurance. It defines the responsibilities and accountabilities of each line, maps Simpaisa's functions and leadership roles to the appropriate line, and sets out the escalation paths between lines and the Board's oversight role.
This document is not a standalone policy. It is a framework descriptor that operates alongside and is supported by the Group's suite of policies, the Internal Audit Charter (SGP-GOV-006), and the Board Committee Terms of Reference (SGP-GOV-008). All Simpaisa employees, at every level, operate within this framework.
## 2. The Three Lines of Defence Model
The Three Lines of Defence model (updated IIA model, 2020) provides a coherent structure for understanding how governance, risk management, and control responsibilities are distributed across an organisation. At Simpaisa, the model is adapted to reflect the Group's current scale, its cross-border payments operating model, and its DFSA Category 3D regulatory obligations.
The three lines are:
- First Line - Own the risk. Business functions and operational teams design, implement, and operate the day-to-day controls that manage risk within the Group's risk appetite.
- Second Line - Oversee and challenge. Risk and compliance functions set standards, monitor adherence, provide advice and guidance to the First Line, and challenge where standards are not met.
- Third Line - Independent assurance. Internal Audit provides the Board and the ARC with independent, objective assurance that the First and Second Lines are functioning effectively.
Above all three lines, the Board of Directors provides ultimate governance oversight, sets the risk appetite, and holds management accountable for the effectiveness of the control environment.
## 3. First Line of Defence: Business and Operations
### 3.1 Role and Responsibilities
The First Line comprises all business-facing and operational functions that create, manage, and own risks in the course of delivering the Group's products and services. First Line teams are closest to the Group's risks and are responsible for the primary controls that manage those risks within approved appetite.
First Line responsibilities include:
- Identifying, assessing, and managing risks arising from their own activities, within the boundaries set by Group policy and the Risk Appetite Statement;
- Designing and implementing effective operational controls - including process controls, system controls, maker-checker arrangements, reconciliation disciplines, and segregation of duties;
- Complying with all applicable Group policies, procedures, regulatory requirements, and internal standards;
- Reporting control failures, near-misses, and incidents to the Second Line in a timely manner, using the Group's incident management process;
- Completing mandatory training and maintaining the knowledge necessary to meet their compliance obligations;
- Supporting Second Line reviews and Third Line audits, and implementing agreed Management Action Plans within agreed timescales.
First Line teams may not self-certify the effectiveness of their own controls without independent oversight from the Second or Third Line.
### 3.2 First Line Functions at Simpaisa
| Function / Leadership Role | First Line Responsibilities |
|---|---|
| Technology / Engineering (CTO) | Secure development, system availability, infrastructure controls, change management, incident response at system level, vulnerability patching within approved timescales. |
| Product (CPO) | Product design governance, product launch approval process, new feature risk assessment, customer journey controls, compliance with product policies. |
| Operations (COO) | Payment processing, settlement, reconciliation, operational incident management, customer operations, outsourced operations oversight, fraud operations. |
| Commercial / Sales | Merchant and partner onboarding within approved criteria, commercial agreement compliance, referral controls, pricing adherence. |
| Finance (CFO - reporting function) | Financial record-keeping, management accounts preparation, treasury operations, expense management, payroll, regulatory financial returns preparation. |
| Country Operations (Country Heads) | Local regulatory compliance execution, local staff management, in-country incident reporting, local licence condition adherence. |
| People / HR (CPO) | Recruitment screening, onboarding, right-to-work verification, training completion, conduct management. |
### 3.3 First Line Control Expectations
First Line teams are expected to maintain documented controls proportionate to the risks of their activities, including:
- Written procedures for all material processes;
- Maker-checker controls on all payment instructions, configuration changes, and high-value transactions;
- Segregation of duties preventing any individual from initiating, approving, and reconciling the same transaction;
- Timely reconciliation of all settlement accounts, float accounts, and client money accounts;
- Regular management self-assessment of control effectiveness, submitted to the Second Line quarterly.
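The maker-checker and segregation-of-duties expectations above are easier to test for if the rule is expressed as an identity check rather than a role check. The following is an added illustration, not Simpaisa code: it models a payment instruction lifecycle (initiate, approve, reconcile) in which the initiator can never approve, a high-value instruction needs two distinct approvers, and nobody who initiated or approved may reconcile. The lifecycle, role names, the dual-approval threshold, the user records and the audit-trail shape are all assumed for the example.

```python
"""Maker-checker and segregation-of-duties enforcement for a payment instruction.

Added illustration, not Simpaisa code. The lifecycle (initiate -> approve ->
reconcile), the role names, the dual-approval threshold and the users are
all assumed for the example.
"""
from dataclasses import dataclass, field
from decimal import Decimal
from enum import Enum
from typing import List, Optional


class State(Enum):
    INITIATED = "initiated"
    APPROVED = "approved"
    RECONCILED = "reconciled"


class ControlViolation(Exception):
    """An action that would breach maker-checker or segregation of duties."""


@dataclass(frozen=True)
class User:
    user_id: str
    roles: frozenset


@dataclass
class PaymentInstruction:
    ref: str
    amount: Decimal
    initiated_by: str
    approved_by: List[str] = field(default_factory=list)
    reconciled_by: Optional[str] = None
    state: State = State.INITIATED


# Assumed threshold: at or above it two distinct checkers must approve.
HIGH_VALUE_THRESHOLD = Decimal("100000")

# Evidence trail for Second Line monitoring and Third Line testing:
# (user_id, action, instruction ref, outcome). Denials are recorded too.
AUDIT_LOG: List[tuple] = []


def _deny(user: User, action: str, ref: str, reason: str) -> None:
    AUDIT_LOG.append((user.user_id, action, ref, "denied: " + reason))
    raise ControlViolation(f"{ref}: {reason}")


def _allow(user: User, action: str, ref: str) -> None:
    AUDIT_LOG.append((user.user_id, action, ref, "ok"))


def _require_role(user: User, role: str, action: str, ref: str) -> None:
    if role not in user.roles:
        _deny(user, action, ref, f"{user.user_id} lacks role {role!r}")


def required_approvals(amount: Decimal) -> int:
    return 2 if amount >= HIGH_VALUE_THRESHOLD else 1


def initiate(user: User, ref: str, amount: str) -> PaymentInstruction:
    _require_role(user, "maker", "initiate", ref)
    _allow(user, "initiate", ref)
    return PaymentInstruction(ref=ref, amount=Decimal(amount), initiated_by=user.user_id)


def approve(user: User, pi: PaymentInstruction) -> PaymentInstruction:
    _require_role(user, "checker", "approve", pi.ref)
    if pi.state is not State.INITIATED:
        _deny(user, "approve", pi.ref, f"cannot approve in state {pi.state.value}")
    # Maker-checker: the identity that initiated may never approve, whatever roles it holds.
    if user.user_id == pi.initiated_by:
        _deny(user, "approve", pi.ref, f"maker {user.user_id} cannot act as checker")
    if user.user_id in pi.approved_by:
        _deny(user, "approve", pi.ref, f"{user.user_id} has already approved")
    pi.approved_by.append(user.user_id)
    if len(pi.approved_by) >= required_approvals(pi.amount):
        pi.state = State.APPROVED
    _allow(user, "approve", pi.ref)
    return pi


def reconcile(user: User, pi: PaymentInstruction) -> PaymentInstruction:
    _require_role(user, "reconciler", "reconcile", pi.ref)
    if pi.state is not State.APPROVED:
        _deny(user, "reconcile", pi.ref, f"cannot reconcile in state {pi.state.value}")
    # Segregation of duties: nobody who initiated or approved may reconcile.
    if user.user_id == pi.initiated_by or user.user_id in pi.approved_by:
        _deny(user, "reconcile", pi.ref, f"{user.user_id} initiated or approved this instruction")
    pi.reconciled_by = user.user_id
    pi.state = State.RECONCILED
    _allow(user, "reconcile", pi.ref)
    return pi


def violation(action, *args) -> Optional[str]:
    """Run an action; return the denial reason if it was blocked, else None."""
    try:
        action(*args)
    except ControlViolation as exc:
        return str(exc)
    return None


# Constructed users. Alice holds every role, which is exactly the case the
# identity checks above must still stop from completing a transaction alone.
ALICE = User("alice", frozenset({"maker", "checker", "reconciler"}))
BOB = User("bob", frozenset({"checker"}))
CAROL = User("carol", frozenset({"checker", "reconciler"}))
DAVE = User("dave", frozenset({"reconciler"}))
```

Role-based checks alone would let Alice initiate, approve and reconcile the same instruction; the identity comparisons against `initiated_by` and `approved_by` are what implement the expectation in the list above. The denial entries in `AUDIT_LOG` are the evidence a Second Line monitoring review or Third Line test would sample.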
4. Second Line of Defence: Risk and Compliance Oversight¶
4.1 Role and Responsibilities¶
The Second Line comprises the oversight functions that are independent of the day-to-day business operations. The Second Line does not own or manage operational risks; it sets the standards, frameworks, and policies within which the First Line operates, monitors adherence, provides expert advice and guidance, and escalates concerns to senior management and the Board where the First Line's controls are inadequate.
Second Line responsibilities include:
- Developing and maintaining the Group's risk management framework, risk appetite, and risk policies;
- Setting compliance standards and monitoring First Line adherence to Group policies and regulatory requirements;
- Advising the First Line on the regulatory and risk implications of business decisions, product launches, and market entry;
- Conducting independent monitoring and testing of First Line controls (distinct from Internal Audit, which provides periodic, deeper, and more formal assurance);
- Providing independent oversight of AML/CFT, sanctions, fraud, data governance, and financial crime risk;
- Reporting to the ARC, the Compliance and Regulatory Committee, and the Technology and Information Security Committee on the state of the control environment;
- Escalating material control failures or regulatory concerns that the First Line has not adequately remediated.
The Second Line must be operationally independent from the First Line it oversees. Second Line function heads shall not have management responsibility for First Line activities.
4.2 Second Line Functions at Simpaisa¶
| Function / Leadership Role | Second Line Responsibilities |
|---|---|
| MLRO / Compliance | AML/CFT programme ownership, sanctions programme ownership, STR oversight, regulatory reporting, DFSA relationship management, compliance monitoring, regulatory change management, financial crime risk assessment, conduct risk oversight. |
| Risk Management | Risk framework, risk register ownership, risk appetite monitoring, operational risk event oversight, risk reporting to ARC, emerging risk identification, credit and counterparty risk oversight. |
| Data Governance (CDO - governance function) | Data governance framework, data quality standards, privacy compliance (PDPA, GDPR-aligned), data classification policy, data retention standards, oversight of First Line data practices. |
| CISO (security risk oversight function) | Information security policy, cyber risk assessment, security risk framework, security exception governance, third-party security risk, security standards for First Line technology teams. |
| CFO (financial controls function) | Financial control framework, finance policy ownership, budget governance, treasury policy, audit liaison (financial reporting), independent financial risk oversight. |
4.3 Second Line Independence¶
4.3.1 The MLRO reports to the CEO with a direct reporting line to the ARC and the Compliance and Regulatory Committee. The MLRO has the right to report directly to the ARC Chair without reference to management.
4.3.2 Second Line function heads shall not have their remuneration determined by business performance targets of the First Line areas they oversee, in order to preserve independence.
4.3.3 The Second Line shall conduct periodic monitoring reviews - at least quarterly for high-risk areas - and shall report findings to the relevant Board Committee. These reviews are distinct from Internal Audit engagements and are designed to provide continuous rather than periodic assurance.
5. Third Line of Defence: Internal Audit¶
5.1 Role and Responsibilities¶
The Third Line is Internal Audit, operating under the Internal Audit Charter (SGP-GOV-006). Internal Audit provides independent, objective assurance to the Board and the ARC that the First and Second Lines are functioning effectively - that risks are being identified and managed appropriately, that controls are adequately designed and operating effectively, and that governance arrangements are sound.
The Third Line is independent of both the First and Second Lines. It does not design controls, implement policies, or take management responsibility for any risk. Its role is to test, evaluate, and report.
Internal Audit responsibilities include:
- Executing the risk-based annual audit plan approved by the ARC;
- Testing the design and operating effectiveness of First Line controls across the full Audit Universe;
- Assessing whether Second Line oversight functions are performing their role effectively;
- Reporting findings, with ratings and Management Action Plans, to the ARC;
- Following up on the remediation of agreed actions and escalating overdue items;
- Providing the ARC with an annual overall opinion on the adequacy of the Group's governance, risk management, and control environment.
5.2 Reporting Line¶
Internal Audit reports functionally to the ARC and has no management reporting line that could impair its independence. The Head of Internal Audit has the right of direct and unrestricted access to the ARC Chair.
6. Function Mapping Summary¶
| Simpaisa Function | Primary Line | Secondary Line | Notes |
|---|---|---|---|
| CTO / Engineering | 1st | - | All technology operations and development activities. |
| CPO (Chief Product Officer) / Product | 1st | - | Product design, launch, and management. |
| COO / Operations | 1st | - | Payments, settlements, reconciliation, customer operations. |
| Commercial / Sales | 1st | - | Merchant onboarding and commercial relationships. |
| CPO (Chief People Officer) / People and HR | 1st | - | Recruitment, conduct, training. |
| CFO / Finance | 1st | 2nd | 1st line: financial reporting and treasury operations. 2nd line: financial control framework and policy ownership. |
| CISO | 1st | 2nd | 1st line: operational security delivery. 2nd line: security risk framework and oversight of engineering security practices. |
| CDO | 1st | 2nd | 1st line: technology strategy and delivery. 2nd line: data governance standards and privacy oversight. |
| MLRO / Compliance | 2nd | - | Compliance oversight, AML/CFT, sanctions, regulatory. |
| Risk Management | 2nd | - | Risk framework, risk appetite monitoring, risk reporting. |
| Internal Audit | 3rd | - | Independent assurance to ARC. Reports to ARC, not management. |
| Country Heads | 1st | - | Local regulatory execution and in-country operations. |
Where a function spans two lines, the individual concerned must maintain clear role separation and must not allow their Second Line responsibilities to be compromised by their First Line accountability. For roles spanning lines (CFO, CISO, CDO), the respective Board Committee Terms of Reference set out how this separation is maintained in practice.
7. Escalation Paths Between Lines¶
| Scenario | Action | Escalation Path |
|---|---|---|
| First Line identifies a control failure or incident | First Line reports to Second Line (MLRO, Risk, or CISO depending on type) within 24 hours of identification. | First Line → Second Line → ARC (if material) |
| Second Line identifies a First Line control deficiency through monitoring | Second Line issues a monitoring finding to the First Line with a remediation deadline. Unresolved issues escalated to CEO. | Second Line → First Line → CEO → ARC |
| Second Line identifies a potential regulatory breach | MLRO notifies ARC Chair and CEO immediately. Regulatory notification obligations assessed. | MLRO → ARC Chair / CEO → DFSA (if required) |
| Third Line identifies a Critical or High finding during audit | Internal Audit notifies ARC Chair directly. Draft finding shared with management for factual review (10 business days). | Head of IA → ARC Chair → Board (for Critical) |
| Third Line identifies a potential regulatory breach during audit | Internal Audit notifies ARC Chair and MLRO immediately, before finalisation of the audit report. | Head of IA → ARC Chair + MLRO → CEO → DFSA (if required) |
| Management Action Plan overdue (60+ days, High or Critical) | Internal Audit escalates to ARC in writing. ARC considers whether Board notification is required. | Head of IA → ARC → Board |
| Whistleblowing report implicating management | Reported to MLRO and ARC Chair, bypassing normal management line. | Whistleblower → MLRO or ARC Chair → Board |
8. Board and Governance Oversight¶
The Board of Directors sits above all three lines. The Board:
- Sets the Group's risk appetite and approves the Risk Appetite Statement;
- Approves this Framework, the Internal Audit Charter, and the Board Committee Terms of Reference;
- Receives consolidated risk and control reporting from all three lines, through the ARC, the Compliance and Regulatory Committee, and the Technology and Information Security Committee;
- Holds the CEO, and through the CEO the entire First and Second Lines, accountable for the effectiveness of the control environment;
- Receives independent assurance from the Third Line, ensuring it is not solely reliant on management reporting.
The ARC is the primary Board Committee through which the Three Lines framework is governed. The ARC oversees the Internal Audit function, approves the annual audit plan, reviews all significant findings, and challenges management on the adequacy of remediation.
9. Annual Review¶
This Framework shall be reviewed annually by the ARC and approved by the Board. It shall be updated whenever material changes to the Group's structure, regulatory obligations, or risk profile make revision necessary.
10. Approval¶
| Role | Name | Date |
|---|---|---|
| ARC Chair | [INED Name] | April 2026 |
| CEO | Yassir Pasha | April 2026 |
| Board Chair | Nadeem Hussain | April 2026 |
---¶
DOCUMENT 3: BOARD COMMITTEE TERMS OF REFERENCE¶
SIMPAISA GROUP
BOARD COMMITTEE TERMS OF REFERENCE
| Field | Detail |
|---|---|
| Document Reference | SGP-GOV-008 |
| Version | 1.0 |
| Status | Active |
| Owner | Board of Directors |
| Approver | Board of Directors |
| Effective Date | 1 April 2026 |
| Next Review Date | 1 April 2027 |
| Classification | Confidential |
Document Control¶
Revision History¶
| Version | Date | Author | Changes |
|---|---|---|---|
| 0.1 | January 2026 | CEO Office / Legal / Company Secretary | Initial draft |
| 0.2 | February 2026 | Board Chair, ARC Chair, CEO | Internal review and revision |
| 0.3 | March 2026 | All Committee Chairs | Committee-specific review and input |
| 1.0 | April 2026 | Board of Directors | Board-approved final version |
Distribution¶
This document is distributed to all members of the Board of Directors, all Committee members, and the Company Secretary. It is maintained on the Group's board management system. It is available to the DFSA and other regulators upon request.
Related Documents¶
- Internal Audit Charter (SGP-GOV-006)
- Three Lines of Defence Framework (SGP-GOV-007)
- Risk Appetite Statement (SGP-GOV-009)
- Articles of Association / Constitutional Documents of Simpaisa Holdings Pte Ltd
- DFSA Category 3D Regulatory Requirements
- Remuneration Policy (SGP-GOV-001)
Preliminary: Common Provisions¶
The following provisions apply to all four Board Committees established under these Terms of Reference.
Delegation. Each Committee is a standing committee of the Board of Directors, established by and deriving its authority from the Board. Committees may make decisions within their delegated authority; they may not take decisions that are reserved to the full Board under the Group's Reserved Matters schedule.
Reporting to the Board. Each Committee Chair shall report to the Board at the first full Board meeting following each Committee meeting, summarising matters discussed and any resolutions passed. Minutes of Committee meetings shall be provided to all Board members.
Minutes. The Company Secretary, or a person designated by the Committee Chair, shall act as secretary to each Committee and shall maintain accurate minutes of all meetings. Draft minutes shall be circulated to Committee members within ten business days of each meeting.
Conflicts of Interest. Committee members shall declare any actual or potential conflicts of interest at the commencement of each meeting. A member with a material conflict on a specific agenda item shall withdraw from discussion and decision on that item.
Observer Attendance. The Board Chair may attend any Committee meeting as an observer. Other Board members, regulators, or advisers may attend by invitation of the Committee Chair.
Committee Reviews. Each Committee shall review its Terms of Reference annually and recommend any amendments to the full Board for approval.
Committees. The four standing Board Committees are:
- Audit and Risk Committee (ARC)
- Compliance and Regulatory Committee (CRC)
- Remuneration and Nomination Committee (RemNomCo)
- Technology and Information Security Committee (TISCo)
Part 1: Audit and Risk Committee (ARC)¶
1.1 Purpose¶
The Audit and Risk Committee provides oversight of financial reporting integrity, external audit, internal audit, risk management, regulatory compliance assurance, and client money. It is the primary Board Committee through which the Board receives independent assurance on the effectiveness of the Group's control environment.
1.2 Composition¶
1.2.1 The ARC shall comprise a minimum of three members of the Board of Directors, the majority of whom shall be non-executive directors.
1.2.2 The ARC shall be chaired by an Independent Non-Executive Director (INED). The Chair shall have relevant financial qualifications or experience commensurate with the oversight role (e.g., qualified accountant, senior financial services professional, or equivalent).
1.2.3 The CEO and CFO shall not be members of the ARC. The CFO shall attend as a standing invitee (see 1.4) but shall not vote.
1.2.4 At least one member of the ARC shall have recent and relevant financial services risk or compliance experience.
1.2.5 The Board shall appoint ARC members for renewable terms of three years.
1.3 Quorum and Decisions¶
1.3.1 The quorum for an ARC meeting shall be two members, provided the ARC Chair or a designated alternate is present.
1.3.2 Decisions shall be made by simple majority of members present. In the event of a tied vote, the Chair shall have a casting vote.
1.3.3 The ARC Chair may convene an extraordinary meeting at any time, including at short notice where the nature of a matter requires it. Such meetings are quorate on the same basis as scheduled meetings.
1.4 Standing Invitees¶
The following individuals shall be standing invitees to all scheduled ARC meetings and shall attend unless excused by the ARC Chair:
- Chief Financial Officer (CFO)
- Money Laundering Reporting Officer (MLRO)
- Head of Internal Audit (or engagement partner of the outsourced provider)
- Chief Risk Officer / Head of Risk (where the role exists)
The lead partner of the external auditor shall attend at least one ARC meeting per year to present the audit plan, interim findings, and audit conclusions. The external auditor may meet with the ARC in private session without management present.
1.5 Meeting Frequency¶
1.5.1 The ARC shall meet at least four times per calendar year (quarterly), with meetings scheduled to align with the Group's financial reporting and audit cycles.
1.5.2 Additional ad hoc meetings may be convened at any time at the request of the ARC Chair, any two ARC members, the Head of Internal Audit, or the external auditor.
1.5.3 The ARC Chair shall meet with the Head of Internal Audit and the external auditor separately from management at least once per year.
1.6 Responsibilities¶
1.6.1 Financial Reporting¶
- Review and recommend to the Board approval of the annual financial statements of the Group and of the DIFC-regulated entity, ensuring they present a true and fair view;
- Monitor the integrity of the Group's financial reporting, including judgements and estimates applied in preparing the accounts;
- Review and challenge accounting policies and any material changes proposed by management;
- Review significant financial reporting risks and the controls designed to mitigate them.
1.6.2 External Audit¶
- Oversee the relationship with the external auditor on behalf of the Board;
- Recommend to the Board the appointment, reappointment, or removal of the external auditor;
- Approve the external audit scope and engagement terms;
- Review and discuss the external audit report, management letter, and management's responses;
- Assess the independence and objectivity of the external auditor, including reviewing any non-audit services provided;
- Conduct a formal assessment of external audit effectiveness at least annually.
1.6.3 Internal Audit¶
- Approve the Internal Audit Charter and recommend it to the Board;
- Approve the annual risk-based internal audit plan;
- Receive quarterly and annual reports from the Head of Internal Audit;
- Oversee the appointment, performance, and (in the outsourced phase) renewal or replacement of the internal audit provider;
- Review all audit findings and management responses, with particular focus on Critical and High findings;
- Monitor the progress of Management Action Plans and escalate overdue items to the Board where necessary;
- Commission special or ad hoc audit engagements as the ARC deems appropriate;
- Review the results of the external quality assessment of Internal Audit (every five years per IIA Standards).
1.6.4 Risk Management¶
- Review and recommend to the Board for approval the Group's Risk Appetite Statement and any material amendments;
- Oversee the adequacy and effectiveness of the Group's risk management framework;
- Receive periodic risk reports from the Chief Risk Officer or Risk Management function;
- Review the Group's principal risks and uncertainties, and the controls in place to manage them within appetite;
- Assess whether the Group's overall risk profile is consistent with the approved Risk Appetite Statement.
1.6.5 Compliance Monitoring¶
- Receive reports from the MLRO on the status of the Group's AML/CFT and sanctions programme;
- Receive updates on regulatory findings, enforcement actions, or supervisory communications;
- Consider whether any matters require reporting to the Board or to the DFSA;
- Review the Group's compliance monitoring plan and results.
1.6.6 Client Money Audit¶
- Receive and review the annual client money audit report;
- Satisfy itself that client funds are segregated and managed in accordance with applicable regulatory requirements;
- Ensure that any client money deficiencies are remediated promptly and reported where required.
1.6.7 Operational Resilience¶
- Review the Group's operational resilience framework and the results of impact tolerance testing;
- Receive reports on significant operational incidents and the Group's response;
- Satisfy itself that business continuity and disaster recovery arrangements are adequate and regularly tested.
Part 2: Compliance and Regulatory Committee (CRC)¶
2.1 Purpose¶
The Compliance and Regulatory Committee oversees the Group's regulatory strategy, licence compliance, financial crime programme, and engagement with all regulators across the Group's operating jurisdictions. It provides a dedicated Board-level forum for financial crime and regulatory matters that require more focused attention than the full Board or ARC agenda permits.
2.2 Composition¶
2.2.1 The CRC shall comprise a minimum of three members, including:
- The Money Laundering Reporting Officer (MLRO);
- The Group Head of Regulatory Affairs (or equivalent);
- The Chief Digital Officer (CDO).
2.2.2 The CRC should include at least one non-executive director. The CRC Chair may be an executive or non-executive member, as determined by the Board.
2.2.3 Where the MLRO is an executive of the Group, the Board shall ensure that the CRC's composition is sufficient to provide appropriate challenge to management on financial crime matters.
2.2.4 The CEO and COO shall be standing invitees (see 2.4) and shall not be voting members unless they are separately appointed as members.
2.3 Quorum and Decisions¶
2.3.1 The quorum for a CRC meeting shall be two members, provided the MLRO is present or has submitted a written report.
2.3.2 Decisions shall be by simple majority of members present. Where the MLRO is unable to attend in person, a written update must be circulated in advance.
2.4 Standing Invitees¶
- Chief Executive Officer (CEO)
- Chief Operating Officer (COO)
- Chief Financial Officer (CFO) (for matters with financial reporting implications)
- Country Compliance Officers / Heads (as relevant to the agenda)
- Head of Sanctions (where the role exists separately)
2.5 Meeting Frequency¶
2.5.1 The CRC shall meet at least four times per calendar year (quarterly).
2.5.2 The MLRO or any two members may request an extraordinary meeting at any time, including in response to a significant suspicious transaction, regulatory inquiry, or enforcement action.
2.6 Responsibilities¶
2.6.1 Regulatory Strategy¶
- Review and recommend the Group's regulatory strategy, including approach to licence applications, regulatory change, and jurisdiction prioritisation;
- Oversee the status of all Group licences, registrations, and exemptions across all operating jurisdictions;
- Assess the Group's readiness for DFSA Category 3D authorisation and monitor the progress of the licence application;
- Review and advise on the Group's approach to engagement with the DFSA and other regulators.
2.6.2 Licence Compliance¶
- Receive reports on compliance with all licence conditions applicable to each regulated entity within the Group;
- Review any licence condition breaches, near-misses, or regulatory correspondence;
- Recommend to the Board any material regulatory disclosures or notifications.
2.6.3 AML/CFT Programme¶
- Oversee the Group's AML/CFT programme in respect of its design, resourcing, and effectiveness;
- Review the MLRO's annual AML/CFT report;
- Approve material changes to the Group's AML/CFT policy, risk assessment, or customer due diligence standards;
- Monitor the performance of transaction monitoring systems and the volume and quality of alerts;
- Review the Group's money laundering and terrorist financing risk assessment and update frequency.
2.6.4 Sanctions Programme¶
- Oversee the Group's sanctions compliance programme, including the coverage of screening lists (OFAC, UN, EU, HMT, and applicable local lists);
- Review the governance of sanctions screening overrides and escalations;
- Receive reports on significant sanctions screening events;
- Assess the adequacy of the sanctions programme in the context of the Group's market presence in higher-risk jurisdictions (PK, BD, NP, IQ).
2.6.5 Suspicious Transaction Reporting¶
- Receive regular reports on the volume, nature, and disposition of internal suspicious activity reports;
- Review the quality and timeliness of Suspicious Transaction Reports (STRs) submitted to competent authorities;
- Assess whether the Group's STR process is fit for purpose and appropriately resourced.
2.6.6 Regulatory Change Management¶
- Oversee the Group's process for identifying, assessing, and implementing regulatory change;
- Review horizon-scanning reports on forthcoming regulatory developments in the Group's operating jurisdictions;
- Ensure that regulatory change is translated into policy and operational changes in a timely manner.
2.6.7 DFSA Relationship¶
- Maintain oversight of the Group's engagement with the DFSA, including the Category 3D application process, supervisory visits, and ongoing regulatory dialogue;
- Receive and consider all correspondence from the DFSA and other principal regulators;
- Recommend to the Board any response to DFSA communications that has material strategic or financial implications.
Part 3: Remuneration and Nomination Committee (RemNomCo)¶
3.1 Purpose¶
The Remuneration and Nomination Committee oversees the Group's remuneration framework, executive compensation, equity incentive arrangements, and the composition, succession, and fitness and propriety of the Board and senior management.
3.2 Composition¶
3.2.1 RemNomCo shall comprise a minimum of three members of the Board, the majority of whom shall be non-executive directors.
3.2.2 RemNomCo shall be chaired by an Independent Non-Executive Director (INED).
3.2.3 The CEO shall not be a member of RemNomCo. The CEO may be invited to attend for agenda items that do not relate to the CEO's own remuneration or performance assessment.
3.2.4 At least one member of RemNomCo shall have experience in executive remuneration, people leadership, or human resources at a senior level.
3.3 Quorum and Decisions¶
3.3.1 The quorum for a RemNomCo meeting shall be two members, provided the Chair is present.
3.3.2 Decisions shall be by simple majority of members present. No member shall participate in any decision concerning their own remuneration.
3.4 Standing Invitees¶
- Chief Executive Officer (CEO) - except for agenda items relating to CEO remuneration or performance
- Chief People Officer (CPO)
- External remuneration adviser (where appointed)
3.5 Meeting Frequency¶
3.5.1 RemNomCo shall meet at least twice per calendar year (semi-annually), with meetings scheduled to align with the Group's budget process and annual performance cycle.
3.5.2 Additional meetings may be convened as required for time-sensitive matters, including Board appointments, fitness and propriety assessments, or material ESOP decisions.
3.6 Responsibilities¶
3.6.1 Executive Compensation¶
- Set and review the remuneration of the CEO and members of the Executive Leadership Team, including base salary, bonus, and equity;
- Approve the framework for the annual performance bonus cycle, including metrics, targets, and maximum award levels;
- Review and approve the outcome of the annual performance assessment for the CEO and each ELT member, and the resulting bonus determinations;
- Ensure that executive remuneration structures are consistent with the Remuneration Policy (SGP-GOV-001) and do not incentivise excessive risk-taking;
- Review and approve any termination payments for executive directors or senior managers.
3.6.2 ESOP Governance¶
- Approve the terms of the Simpaisa Holdings Employee Share Ownership Plan (ESOP) and any amendments;
- Approve ESOP grants to eligible participants, including the number of options, exercise price, vesting schedule, and performance conditions;
- Review the dilutive impact of ESOP grants on existing shareholders and ensure alignment with investor commitments;
- Oversee compliance with the ESOP plan rules and reporting obligations.
3.6.3 Board Composition and Succession Planning¶
- Lead the process for identifying and recommending candidates for appointment to the Board of Directors;
- Review the Board's current composition, including skills, experience, diversity, and independence, and identify any gaps;
- Develop and maintain a Board succession plan, including succession for the Board Chair, ARC Chair, and other Committee Chairs;
- Review and maintain the Group's senior management succession plan, including contingency succession for the CEO and each ELT member;
- Recommend to the Board the re-election of directors and the appointment of new directors.
3.6.4 Fit and Proper Assessments¶
- Oversee the Group's fit and proper assessment process for Board members, senior managers, and Material Risk Takers, in accordance with DFSA requirements and applicable local regulatory standards;
- Review and approve fit and proper assessments for any new Board appointment or senior management appointment;
- Maintain a register of completed fit and proper assessments and ensure periodic reassessment;
- Consider and manage any matter arising that may affect the fitness and propriety of an existing Board member or senior manager.
3.6.5 DFSA Remuneration Code Compliance¶
- Ensure that the Group's remuneration arrangements for Material Risk Takers comply with the DFSA Remuneration Code applicable to a Category 3D firm;
- Review the identification of Material Risk Takers annually;
- Ensure that deferral, malus, and clawback provisions are applied appropriately;
- Review and approve the DFSA Remuneration Disclosure (where applicable).
3.6.6 Group-Wide Remuneration Framework¶
- Approve the Group Remuneration Policy (SGP-GOV-001) and any material amendments;
- Review the Group's salary benchmarking process and the grade band structure annually;
- Receive reports on the Group's gender pay gap and oversee actions to address material gaps;
- Ensure that remuneration practices across all nine entities are consistent with Group policy and local regulatory requirements.
Part 4: Technology and Information Security Committee (TISCo)¶
4.1 Purpose¶
The Technology and Information Security Committee provides Board-level oversight of the Group's technology strategy, information security posture, cyber resilience, data governance, and technology-related operational resilience. Given that Simpaisa's core business is a digital payments platform, technology and information security are central to the Group's risk profile and its obligations to customers and regulators.
4.2 Composition¶
4.2.1 TISCo shall comprise a minimum of three members, including:
- The Chief Digital Officer (CDO) - who shall serve as Chair;
- The Chief Information Security Officer (CISO);
- The Chief Technology Officer (CTO).
4.2.2 TISCo should include at least one non-executive director with technology or information security experience.
4.2.3 The Board shall consider the CDO's dual role (as both Committee Chair and First/Second Line executive) and shall satisfy itself that appropriate challenge from non-executive members is maintained.
4.3 Quorum and Decisions¶
4.3.1 The quorum for a TISCo meeting shall be two members, provided the CDO is present.
4.3.2 Decisions shall be by simple majority of members present.
4.4 Standing Invitees¶
- Chief Executive Officer (CEO)
- Chief Operating Officer (COO)
- Chief Financial Officer (CFO) - for technology investment items
- MLRO - for items with financial crime technology implications
- Head of Engineering / VP Engineering (as relevant)
- External technology advisers (as required)
4.5 Meeting Frequency¶
4.5.1 TISCo shall meet at least four times per calendar year (quarterly).
4.5.2 Emergency meetings may be convened by the CDO or CISO at any time in response to a significant cyber incident, critical vulnerability, or material technology failure.
4.6 Responsibilities¶
4.6.1 Technology Strategy¶
- Review and recommend to the Board the Group's technology strategy and multi-year technology roadmap;
- Assess the alignment of the technology strategy with the Group's commercial strategy and operational model;
- Oversee the prioritisation of technology investment, including infrastructure, platform, and engineering capability;
- Review and approve material technology architecture decisions, including platform selection, cloud strategy, and technology partnerships.
4.6.2 Information Security¶
- Receive quarterly information security reports from the CISO, including metrics on threat landscape, vulnerability status, and security incidents;
- Oversee the Group's Information Security Policy and programme;
- Review the results of penetration testing, vulnerability assessments, and security audits;
- Approve the Group's approach to security certifications, including ISO 27001 and PCI DSS;
- Ensure that the Group's security posture is commensurate with its risk profile and regulatory obligations.
4.6.3 Cyber Resilience¶
- Oversee the Group's cyber resilience programme, including incident response capability, cyber crisis management, and threat intelligence;
- Receive reports on significant cyber incidents and the Group's response and remediation;
- Review the results of cyber resilience exercises (e.g., tabletop exercises, red team exercises);
- Ensure that recovery time and recovery point objectives for critical systems are defined and tested.
4.6.4 Data Governance¶
- Oversee the Group's data governance framework, as managed by the CDO;
- Review the Group's data quality, data lineage, and data classification standards;
- Ensure compliance with applicable data protection obligations, including the Singapore PDPA, the UK GDPR, and equivalent frameworks in operating jurisdictions;
- Review the Group's data retention and disposal policies and their implementation;
- Oversee the Group's approach to customer data protection and privacy.
4.6.5 PCI DSS and ISO 27001 Compliance¶
- Receive annual reports on the Group's PCI DSS compliance status and the scope of the Group's cardholder data environment;
- Ensure that PCI DSS compliance obligations are understood and managed across all relevant entities and third parties;
- Oversee the Group's ISO 27001 certification programme, where applicable;
- Review material findings from PCI DSS assessments and approve remediation plans.
4.6.6 Operational Resilience (Technology Aspects)¶
- Oversee the technology aspects of the Group's operational resilience framework, as set out in the Operational Resilience Policy (SGP-OPS-001);
- Review the identification and mapping of Important Business Services that depend on technology infrastructure;
- Ensure that impact tolerances for technology failures are defined, tested, and capable of being met;
- Review the status of the Group's active-active disaster recovery capability;
- Receive reports on major technology incidents that trigger or risk triggering impact tolerance breaches.
4.6.7 Technology Investment¶
- Review and recommend to the Board material technology capital expenditure proposals, where these exceed delegated management authority;
- Oversee the Group's technology vendor relationships and key technology partnerships;
- Assess concentration risk arising from critical dependencies on a single technology provider or infrastructure platform.
Approval¶
| Role | Name | Date |
|---|---|---|
| Board Chair | Nadeem Hussain | April 2026 |
| CEO | Yassir Pasha | April 2026 |
| ARC Chair | [INED Name] | April 2026 |
| CDO | Daniel O'Reilly | April 2026 |
---¶
DOCUMENT 4: RISK APPETITE STATEMENT¶
SIMPAISA GROUP
RISK APPETITE STATEMENT
| Field | Detail |
|---|---|
| Document Reference | SGP-GOV-009 |
| Version | 1.0 |
| Status | Active |
| Owner | Board of Directors (via Audit and Risk Committee) |
| Approver | Board of Directors |
| Effective Date | 1 April 2026 |
| Next Review Date | 1 April 2027 |
| Classification | Confidential |
Document Control¶
Revision History¶
| Version | Date | Author | Changes |
|---|---|---|---|
| 0.1 | January 2026 | CFO Office, Risk Management | Initial draft |
| 0.2 | February 2026 | ARC, MLRO, CDO, CFO | Internal review and challenge |
| 0.3 | March 2026 | ARC | Board discussion and amendment |
| 1.0 | April 2026 | Board of Directors | Board-approved final version |
Distribution¶
This statement is distributed to all members of the Board of Directors, all Board Committee members, and all members of the Executive Leadership Team. It is maintained on the board management system. Country heads and function heads shall be provided with the sections relevant to their responsibilities.
Related Documents¶
- Three Lines of Defence Framework (SGP-GOV-007)
- Internal Audit Charter (SGP-GOV-006)
- AML/CFT Policy (SGP-FC-001)
- Sanctions Policy (SGP-FC-002)
- Operational Resilience Policy (SGP-OPS-001)
- Information Security Policy
- Treasury and Liquidity Policy (SGP-FIN-001)
- Risk Management Framework (SGP-RISK-001)
1. Introduction and Purpose¶
This Risk Appetite Statement ("RAS") sets out the Board of Directors' view of the nature and extent of the risks that Simpaisa Group ("Simpaisa" or "the Group") is willing to accept in pursuit of its strategic objectives. It establishes the boundaries within which the Executive Leadership Team, management, and all employees are authorised to operate.
Simpaisa is a cross-border payments fintech operating nine entities across markets in South Asia, the Middle East, North America, the United Kingdom, and Singapore. The Group is in an active growth phase, is pursuing a DFSA Category 3D licence, and serves migrant workers, diaspora communities, and small businesses through digital payment corridors. The Risk Appetite Statement reflects both the ambition inherent in this strategy and the non-negotiable constraints that protect the Group's regulatory standing, customer trust, and financial integrity.
This statement is not a policy. It does not set out procedures or controls. Rather, it establishes the Board's expectations at a strategic level. The detailed controls and procedures through which risk appetite is operationalised are set out in the Group's policies and the Risk Management Framework.
The RAS is reviewed and approved by the Board annually, on the recommendation of the ARC. It is updated as required following material changes to the Group's strategy, risk profile, or operating environment. The ARC monitors adherence to the RAS on an ongoing basis and reports to the Board at least quarterly.
2. Risk Categories¶
2.1 Strategic Risk¶
Definition. The risk that the Group's strategy fails to deliver value, or that strategic decisions expose the Group to outcomes materially worse than anticipated.
Risk Appetite (Qualitative). The Board has a high appetite for strategic risk in areas that are core to the Group's growth ambition - specifically geographic expansion into new payment corridors, new product development within established business lines, and the deepening of technology capability. The Board has a medium appetite for M&A and inorganic growth, given the complexity and integration risk involved. The Board has a low appetite for strategic initiatives that could compromise the Group's regulatory standing or create reputational harm, regardless of their financial attractiveness.
Risk Tolerances (Quantitative).
| Strategic Risk Area | Tolerance |
|---|---|
| Geographic market entry | Entry into up to three new markets per year, provided each has completed the Group's market entry risk assessment and received Board approval. |
| New product launch | Up to four material new product features or lines per year, provided each passes the Product Risk Approval process with Second Line sign-off. |
| M&A / inorganic growth | No M&A transaction to be executed without a dedicated Board-approved due diligence process and ARC review of the risk profile of the target. Single transaction value: Board approval required above USD 5 million. |
| Strategy execution | The Group's annual operating plan shall not deviate from Board-approved budget by more than 20% revenue variance without a formal Board replan. |
Key Controls. Market entry risk assessment framework; product launch governance process; annual strategic planning cycle with Board approval; M&A due diligence protocol; OKR framework with quarterly Board review.
Escalation Trigger. Proposed market entry into a jurisdiction classified as High Risk by the FATF or the Group's own sanctions risk framework; any proposed M&A target with unresolved regulatory, financial crime, or reputational concerns; revenue deviation exceeding 20% versus plan.
Board Reporting Frequency. Quarterly (strategy OKR update); annually (strategic plan approval).
2.2 Credit and Counterparty Risk¶
Definition. The risk of financial loss arising from the failure of a counterparty - including merchants, banking partners, payment scheme operators, or FX providers - to meet its obligations.
Risk Appetite (Qualitative). The Board has zero appetite for extending unsecured credit to merchants or commercial counterparties. The Group operates a float-funded settlement model and does not take credit risk on merchant receivables. The Board has a low appetite for concentration risk in its banking relationships and a medium appetite for concentration in payment scheme partnerships, provided that adequate contingency arrangements exist.
Risk Tolerances (Quantitative).
| Credit / Counterparty Area | Tolerance |
|---|---|
| Merchant credit | Zero. No unsecured merchant credit facilities. All merchant settlements funded from pre-deposited float or post-receipt of funds from sending side. |
| Single banking counterparty | Maximum of 40% of Group liquidity reserves held with any single banking institution. [CFO to confirm absolute threshold.] |
| Single payment scheme dependency | No single payment scheme to represent more than 60% of total transaction volume, with a secondary scheme operational for each corridor within 12 months of launch. |
| FX counterparty | Maximum FX settlement exposure to any single counterparty: [TBC by CFO - recommended USD 2 million or 15% of daily FX volume, whichever is lower]. |
| Correspondent banking | All correspondent banking relationships subject to annual due diligence review. No correspondent relationship to be retained where the due diligence review produces an unsatisfactory outcome. |
Key Controls. Merchant float pre-funding requirement; counterparty credit assessment at onboarding; banking concentration monitoring by CFO; payment scheme resilience testing; correspondent bank due diligence programme.
Escalation Trigger. Any single banking counterparty exceeding 40% of Group liquidity reserves; any correspondent bank receiving an unsatisfactory due diligence assessment; any payment scheme failure affecting more than 20% of transaction volume.
Board Reporting Frequency. Quarterly (counterparty exposure summary); immediately for any escalation trigger.
2.3 Operational Risk¶
Definition. The risk of loss resulting from inadequate or failed internal processes, people, systems, or external events, including fraud, error, system outage, and third-party failure.
Risk Appetite (Qualitative). The Board has a low overall appetite for operational risk, given that the Group's payment processing service is time-critical for its customers (migrant workers remitting funds to dependants) and that operational failures carry both direct financial and significant reputational consequences. The Board is willing to accept a degree of operational risk in the context of rapid growth and technology development, provided that controls are proportionate and resilient.
Risk Tolerances (Quantitative).
| Operational Area | Tolerance |
|---|---|
| Payment processing availability | Target uptime: 99.9% per month for all production payment processing systems. Unplanned downtime in excess of 8.7 hours per month (equivalent to <99.9%) constitutes a breach requiring ARC notification. |
| Transaction screening | Zero tolerance for any customer transaction to be processed without completion of applicable sanctions and AML screening. Screening failures triggering transaction processing without alert review constitute a Critical finding. |
| Reconciliation breaks | Maximum age for any unresolved settlement or float reconciliation break: five business days. Breaks remaining unresolved beyond five business days to be reported to CFO and MLRO immediately. |
| Operational incident response | All Priority 1 (Critical) operational incidents to have a qualified incident commander engaged within 30 minutes. Post-incident review to be completed within ten business days. |
| Fraud loss | Target: gross fraud losses not to exceed 0.05% of total transaction value (TPV) per quarter. Breach of this threshold to trigger review of fraud controls by Second Line and report to ARC. |
| Third-party failure | Critical third-party service providers (payment processors, cloud infrastructure, screening vendors) to have contractually committed recovery time objectives of no more than four hours. |
Key Controls. Active-active infrastructure deployment; automated transaction screening integrated into payment processing flow; daily settlement reconciliation; incident management framework (SGP-OPS-001); fraud detection systems; third-party SLA monitoring; business continuity and disaster recovery testing.
Escalation Trigger. Payment processing availability falling below the 99.9% target; any unscreened transaction; reconciliation break exceeding five business days; fraud losses exceeding 0.05% TPV; Priority 1 incident not resolved within four hours.
Board Reporting Frequency. Quarterly (operational KRI dashboard); immediately for Critical operational incidents.
2.4 Financial Crime Risk¶
Definition. The risk that the Group is used, whether knowingly or unknowingly, to facilitate money laundering, terrorist financing, sanctions evasion, bribery, corruption, or other financial crime.
Risk Appetite (Qualitative). The Board has zero appetite for facilitating money laundering or terrorist financing in any form. The Group will not knowingly process transactions connected with financial crime and will take all reasonable steps to prevent the Group from being used for such purposes. The Board adopts a conservative approach to high-risk jurisdictions - specifically Pakistan, Bangladesh, Nepal, and Iraq, all of which are within the Group's primary market set - recognising that these markets are central to the Group's commercial strategy but require enhanced controls and heightened vigilance.
The Board does not regard zero appetite for financial crime risk as incompatible with operating in higher-risk markets. Rather, it requires that the controls applied in those markets are proportionate to the risks.
Risk Tolerances (Quantitative).
| Financial Crime Area | Tolerance |
|---|---|
| AML/CFT | Zero tolerance for processing any transaction where a suspicious activity report has been raised and not cleared by the MLRO or a delegated deputy, except where tipping-off concerns require processing to continue under MLRO direction. |
| Sanctions | Zero tolerance for processing any transaction involving a designated person or entity, or a jurisdiction subject to comprehensive sanctions applicable to the Group. Any sanctions screening system downtime exceeding 30 minutes must result in transaction processing being suspended. |
| High-risk customers (PEPs, high-risk jurisdictions) | Enhanced due diligence required for all Politically Exposed Persons and for all customers in FATF-identified high-risk jurisdictions. EDD approval by MLRO or nominated deputy required before onboarding. |
| STR timeliness | 100% of Suspicious Transaction Reports to be submitted to the relevant Financial Intelligence Unit within the applicable regulatory deadline. Any breach of STR reporting timelines to be reported to the ARC immediately. |
| Fraud (financial crime) | Internal fraud: zero tolerance. Any confirmed internal fraud to be reported to the ARC and, where applicable, to the DFSA and relevant law enforcement. |
| Bribery and corruption | Zero tolerance. Any confirmed bribery or corruption by a Simpaisa employee or agent to be reported to the Board and the relevant regulator. |
Key Controls. AML/CFT programme (SGP-FC-001); sanctions policy and screening programme (SGP-FC-002); customer risk rating and segmentation; transaction monitoring system; STR process; MLRO oversight; EDD programme; staff AML/CFT training; financial crime risk assessment reviewed annually.
Escalation Trigger. Any potential sanctions breach; any STR submitted to a FIU involving a transaction above USD 100,000; any regulatory inquiry relating to financial crime; any internal fraud involving a person with system access to client funds; any identified failure in screening controls.
Board Reporting Frequency. Quarterly (MLRO report including AML/CFT statistics); annually (MLRO annual report); immediately for any sanctions breach, STR involving a senior employee, or regulatory inquiry.
2.5 Regulatory Risk¶
Definition. The risk of regulatory sanctions, financial penalties, licence suspension or revocation, or other adverse regulatory action arising from non-compliance with applicable laws, regulations, rules, or licence conditions.
Risk Appetite (Qualitative). The Board has zero tolerance for deliberate or reckless non-compliance with applicable regulatory requirements. The Group is committed to meeting all its regulatory obligations across all nine entities and all operating jurisdictions. The Board expects the Group to engage proactively and transparently with all regulators and to self-report breaches promptly where required.
The Board recognises that, as a multi-jurisdictional group in rapid growth, the risk of inadvertent regulatory breach is not zero. The tolerance is for minor, promptly self-reported, and promptly remediated breaches only - and does not extend to systemic non-compliance, deliberate breach, or failure to report a breach.
Risk Tolerances (Quantitative).
| Regulatory Area | Tolerance |
|---|---|
| DFSA licence conditions | Zero tolerance for any breach of a DFSA licence condition. All actual or potential licence condition breaches to be reported to the ARC Chair and MLRO within 24 hours of identification. |
| Regulatory reporting | 100% on-time submission of all regulatory returns (financial, AML/CFT, statistical) to all regulators. Any missed submission deadline to be reported to the ARC and the CEO immediately. |
| Regulatory fines | Target: zero regulatory fines. Any fine or enforcement action, regardless of amount, to be reported to the full Board immediately. |
| Regulatory notifications | All mandatory regulatory notifications to be made within the applicable regulatory deadline. A log of all regulatory notifications to be maintained and reviewed by the ARC quarterly. |
| Cross-border regulatory obligations | Compliance with applicable regulatory requirements in each of PK, BD, NP, IQ, UAE (non-DIFC), CA, UK, and SG, as assessed by local counsel and the Group's compliance function. |
Key Controls. Regulatory compliance monitoring programme; regulatory change management process; MLRO oversight; local regulatory counsel retained in each jurisdiction; ARC oversight; licence condition register; regulatory reporting calendar with owners and deadlines.
Escalation Trigger. Any actual or potential DFSA licence condition breach; any missed regulatory reporting deadline; any regulatory investigation, enforcement inquiry, or supervisory request for information; any fine or penalty imposed by any regulator on any Group entity.
Board Reporting Frequency. Quarterly (regulatory compliance update from MLRO and CRC); immediately for any licence condition breach, regulatory fine, or enforcement action.
2.6 Technology and Cyber Risk¶
Definition. The risk of loss, disruption, or harm arising from technology failures, cyber attacks, data breaches, software vulnerabilities, or inadequate technology controls.
Risk Appetite (Qualitative). The Board has a low appetite for technology and cyber risk overall, given the Group's status as a digital-first payments business where technology is both the primary value delivery mechanism and a principal risk vector. The Board has zero tolerance for known, unpatched critical vulnerabilities persisting beyond defined remediation timescales, and zero tolerance for any data breach affecting customer personal data or payment credentials.
The Board recognises that absolute prevention of all cyber incidents is not achievable, and accepts a residual level of technology risk commensurate with the Group's stage of development and investment capacity, provided that detection and response capabilities are robust.
Risk Tolerances (Quantitative).
| Technology / Cyber Area | Tolerance |
|---|---|
| Critical vulnerability patching | Zero tolerance for any Critical (CVSS 9.0+) vulnerability remaining unpatched for more than seven calendar days following identification and vendor patch availability. High (CVSS 7.0–8.9) vulnerabilities: 30-day remediation deadline. |
| Active-active disaster recovery | Mandatory for all production payment processing infrastructure. The Group shall not operate critical payment processing on a single-site or active-passive basis. Recovery Time Objective (RTO): four hours maximum for all Important Business Services. Recovery Point Objective (RPO): one hour maximum. |
| Penetration testing | External penetration test of production systems and infrastructure at least annually. Results reviewed by TISCo and CISO. Critical findings from penetration testing remediated within 30 days. |
| Customer data breach | Zero tolerance. Any confirmed breach of customer personal data or payment credentials to be reported to the ARC Chair, CEO, and MLRO within two hours of confirmation. Regulatory notification obligations to be assessed immediately. |
| Security incident response | All Severity 1 security incidents to have an incident commander engaged within 15 minutes. Containment actions commenced within one hour. |
| Third-party cloud concentration | No single cloud provider to host more than 80% of production workloads without a documented multi-cloud or hybrid contingency plan approved by TISCo. |
| PCI DSS compliance | Annual PCI DSS assessment for all in-scope systems. Zero tolerance for any PCI DSS non-compliance in the cardholder data environment that is not subject to an approved compensating control. |
Key Controls. Vulnerability management programme; patch management process with SLA enforcement; active-active infrastructure deployment; endpoint detection and response tooling; security information and event management (SIEM); penetration testing programme; data loss prevention controls; incident response playbooks; PCI DSS compliance programme; ISO 27001 (where certified); TISCo oversight.
Escalation Trigger. Any Critical vulnerability unpatched beyond seven days; any confirmed or suspected customer data breach; any active cyber attack affecting production systems; RTO or RPO breach; PCI DSS non-compliance in the cardholder data environment; cloud provider outage affecting payment processing.
Board Reporting Frequency. Quarterly (CISO report to TISCo, reported to Board); immediately for any confirmed customer data breach, active cyber attack, or availability breach.
2.7 Liquidity Risk¶
Definition. The risk that the Group does not have sufficient liquid resources to meet its financial obligations as they fall due, including settlement obligations, operational expenses, and regulatory capital requirements.
Risk Appetite (Qualitative). The Board has a low appetite for liquidity risk. Simpaisa operates a real-time or near-real-time payment service where the timeliness of settlement is central to the customer proposition and a regulatory expectation. The Group shall at all times maintain sufficient liquid resources to meet its settlement obligations, its regulatory capital requirements, and its operating expenditure commitments.
Risk Tolerances (Quantitative).
| Liquidity Area | Tolerance |
|---|---|
| Minimum cash runway | Minimum 30 calendar days' operating expenditure held in immediately accessible Group liquid assets at all times. Breach of this threshold requires immediate notification to the CFO and ARC Chair, with a remediation plan presented to the Board within five business days. |
| Settlement float funding | Settlement float accounts to be fully funded at all times. The Group shall not process outbound payment instructions where the relevant settlement account does not hold sufficient funds to cover the payment. Zero tolerance for settlement float deficits. |
| Regulatory capital | The DIFC-regulated entity shall maintain regulatory capital at a minimum of 110% of the DFSA's minimum capital requirement at all times. Breach of 115% threshold to trigger a management action plan. |
| Liquidity stress testing | The CFO shall conduct quarterly liquidity stress tests against scenarios including: (a) 30% reduction in monthly TPV; (b) loss of a major corridor; (c) a 72-hour operational outage. Results reported to ARC quarterly. |
| Intra-day liquidity | Pre-funded float accounts to be monitored intra-day. Any float account falling below 120% of expected settlement obligations for the following four hours to trigger a top-up alert to Treasury. |
Key Controls. Daily treasury and cash management reporting; settlement float monitoring (real-time); liquidity stress testing (quarterly); regulatory capital monitoring; banking relationship diversification; credit facility (where available) as a contingency liquidity backstop; ARC oversight of liquidity position.
Escalation Trigger. Cash runway falling below 30 days; any settlement float deficit; regulatory capital falling below 110% of requirement; inability to execute a liquidity stress test due to data or system failure.
Board Reporting Frequency. Quarterly (liquidity and capital report from CFO to ARC); immediately for any settlement float deficit or 30-day runway breach.
2.8 Foreign Exchange Risk¶
Definition. The risk of financial loss arising from adverse movements in foreign exchange rates on positions held by the Group in the course of its payments operations, treasury management, or other activities.
Risk Appetite (Qualitative). The Board has a low appetite for foreign exchange risk. The Group's primary business involves converting currencies in the execution of cross-border payment transactions, and some degree of intra-day FX exposure is inherent in this model. The Board does not accept speculative FX positions. Open FX positions above defined thresholds shall be hedged.
Risk Tolerances (Quantitative).
| FX Risk Area | Tolerance |
|---|---|
| Maximum open FX position | Maximum net open FX position across all currencies: [TBC by CFO - recommended: USD 500,000 equivalent aggregate, or 2% of monthly TPV, whichever is lower]. Any open position exceeding this limit requires CFO approval and ARC notification at the next quarterly meeting. |
| Hedging requirement | FX positions above 50% of the maximum open position threshold must be hedged using approved instruments (spot, forward, or option contracts with approved counterparties). |
| FX counterparty | FX hedging and conversion counterparties to be pre-approved by the CFO. No FX transaction above USD 250,000 equivalent to be executed with a counterparty that does not hold an appropriate regulatory authorisation in its home jurisdiction. |
| Currency concentration | No single non-USD, non-AED currency to represent more than 30% of the Group's net open position without CFO approval. |
| Revaluation and reporting | All open FX positions to be marked to market daily. FX P&L reported to CFO daily and to ARC quarterly. |
Key Controls. FX position limits; real-time FX position monitoring; hedging programme; pre-approved counterparty list; daily mark-to-market revaluation; CFO oversight; treasury management system.
Escalation Trigger. Any open FX position exceeding the approved limit; any FX hedging counterparty credit event; FX losses exceeding USD 100,000 equivalent in any single month.
Board Reporting Frequency. Quarterly (FX exposure and hedging report from CFO to ARC); immediately for any position limit breach or material FX loss.
2.9 Reputational Risk¶
Definition. The risk of damage to the Group's reputation, brand, or standing with customers, regulators, investors, or the public, arising from any action, event, media coverage, or perceived failure.
Risk Appetite (Qualitative). The Board has zero tolerance for reputational damage arising from conduct failures, customer data breaches, financial crime associations, or regulatory sanctions. The Group's business depends on the trust of vulnerable customers - migrant workers remitting funds to dependants - and the loss of that trust would be existential.
The Board has a medium appetite for reputational risk arising from legitimate commercial decisions (e.g., market exits, product changes, pricing adjustments) provided that these are communicated proactively, honestly, and with appropriate customer notice.
Risk Tolerances (Quantitative).
| Reputational Area | Tolerance |
|---|---|
| Customer data breach | Zero tolerance. Any confirmed customer data breach to be notified to the ARC Chair, CEO, and MLRO within two hours of confirmation. External communications strategy to be approved by CEO before any public statement. Regulatory notifications to be made within applicable deadlines. |
| Media and public communications | No Group spokesperson other than the CEO, CDO, or an approved communications adviser shall make statements on material risk events, regulatory matters, or financial crime to external media. |
| Regulatory sanctions | Zero tolerance for public regulatory sanctions. Any regulatory fine or enforcement action, regardless of size, to be disclosed to the full Board immediately and communicated transparently in regulatory filings where required. |
| Social media and reputational monitoring | CISO and Marketing functions to monitor material brand and reputational mentions. Any emerging reputational issue to be escalated to the CEO and CDO within 24 hours of identification. |
| Customer complaint rates | Material increase (>50% month-on-month) in complaint volumes relating to a specific product, corridor, or issue to be escalated to the COO and ARC within five business days. |
Key Controls. Crisis communications protocol; media management policy; customer data protection controls; regulatory compliance programme; customer complaints management framework; reputational risk monitoring by Communications and CISO; CEO and CDO communications approval process.
Escalation Trigger. Any confirmed customer data breach; any regulatory fine or enforcement action; any media inquiry relating to financial crime, data breach, or regulatory action; customer complaint volume spike exceeding 50% month-on-month.
Board Reporting Frequency. Quarterly (reputational risk dashboard to ARC); immediately for any data breach, regulatory sanction, or material adverse media event.
3. Risk Appetite Summary Table¶
| Risk Category | Appetite Level | Key Tolerance | Board Reporting |
|---|---|---|---|
| Strategic | High (growth); Medium (M&A); Low (regulatory) | Max 3 new markets/year; Board approval for M&A >USD 5m | Quarterly |
| Credit / Counterparty | Zero (merchant credit); Low (banking concentration) | Max 40% of liquidity with single bank; zero unsecured merchant credit | Quarterly |
| Operational | Low | 99.9% uptime; zero unscreened transactions; 5-day reconciliation break limit | Quarterly; immediate for Critical incidents |
| Financial Crime | Zero | Zero ML/TF; zero sanctions processing; 100% STR timeliness | Quarterly; immediate for breaches |
| Regulatory | Zero (deliberate); Low (inadvertent) | Zero DFSA licence condition breaches; 100% on-time reporting | Quarterly; immediate for breaches |
| Technology / Cyber | Zero (critical unpatched); Low (overall) | 7-day critical patch SLA; Active-active DR mandatory; zero customer data breach | Quarterly; immediate for breaches |
| Liquidity | Low | 30-day cash runway; fully funded float at all times | Quarterly; immediate for breaches |
| FX | Low | Open position limits [TBC by CFO]; hedging required above threshold | Quarterly; immediate for limit breaches |
| Reputational | Zero (conduct / data); Medium (commercial) | Zero tolerance customer data breach; approved communications only | Quarterly; immediate for breaches |
4. Governance and Monitoring¶
4.1 The ARC is responsible for monitoring adherence to this Risk Appetite Statement on behalf of the Board. The ARC shall receive a consolidated risk appetite monitoring report at each quarterly meeting from the Chief Risk Officer (or CFO in the absence of a dedicated CRO), covering each risk category.
4.2 The MLRO shall provide the ARC with a separate quarterly report on financial crime risk appetite adherence, including AML/CFT and sanctions metrics.
4.3 The CISO and CDO shall provide TISCo with a quarterly report on technology and cyber risk appetite adherence, the results of which shall be reported to the full Board.
4.4 Any breach of a stated risk tolerance shall be reported to the ARC Chair immediately by the relevant function head (CFO, MLRO, CISO, COO, as applicable). The ARC Chair shall determine whether an emergency ARC meeting or Board notification is required.
4.5 The CEO is responsible for ensuring that the Group's operations are conducted within this Risk Appetite Statement. The CEO shall report to the Board at each quarterly meeting on the Group's overall risk position relative to appetite.
4.6 This Risk Appetite Statement shall be reviewed and reapproved by the Board annually, or on an ad hoc basis following:
- A material change in the Group's strategy or operating model;
- A significant risk event or regulatory action;
- Material change in the Group's regulatory status (e.g., grant or amendment of the DFSA licence);
- Acquisition of a new entity or entry into a materially new market.
5. Approval¶
| Role | Name | Date |
|---|---|---|
| Board Chair | Nadeem Hussain | April 2026 |
| ARC Chair | [INED Name] | April 2026 |
| CEO | Yassir Pasha | April 2026 |
| CFO | Mohammad Mustafa | April 2026 |
| MLRO | Shoukat Bizinjo | April 2026 |
This Risk Appetite Statement is approved by the Board of Directors of Simpaisa Holdings Pte Ltd and applies across all Group entities. It is a Board-level document and is not to be shared externally without the approval of the Board Chair.
End of Simpaisa Group - Regulatory Governance Suite